Slashdot Mirror


Microsoft Identifies, Patches Another Critical RPC Hole

Dynamoo writes "Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code. In other words, this probably carries about the same risk as the well-documented RPC hole exploited by MSBlaster and Nachi. A Knowledgebase article is also available. Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations. Again. Shucks, we haven't even finished patching the RPC flaw yet." You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S. Update: 09/10 20:41 GMT by T : Reader AcquaCow suggests that administrators with multiple machines to patch visit Microsoft's Software Update Services (whitepaper), a tool for "managing and distributing critical Windows patches."

19 of 604 comments

  1. BOHICA by pheared · · Score: 5, Funny

    Dupe? :-)

  2. Been there, done that... by DavidBrown · · Score: 5, Insightful

    MS update downloaded the patch and it's already installed. It seems to me that hardly anyone is hearing about these bugs nowadays until after MS updates Windows. The lesson here (other than the obvious and silly "Don't use Windows") is to run MS update.

    --
    144l. ph34r my 133t l3g4l 5k1lz!
    1. Re:Been there, done that... by Col. Klink (retired) · · Score: 5, Informative

      In some places, we actually test that all of our critical applications will continue to run after applying patches to the OS rather than just blindly applying every patch and hoping nothing breaks.

      --

      -- Don't Tase me, bro!

    2. Re:Been there, done that... by FearUncertaintyDoubt · · Score: 5, Insightful
      And anyone who has ever been burned by a MS patch that caused more problems than it prevented will tell you that you should never be the first guy to install a Windows patch.

      The reality that BillG refuses to acknowledge in his public statements is simply that you cannot "just install the patch" in an enterprise environment. It takes time. Time to evaluate the risks of installing vs. not installing, time to test (and resolve any issues that come up), time to develop a deployment plan, time to actually implement the deployment plan, and time to audit and follow up with everyone who 1) has somehow avoided installing it, 2) is a dial-up user and can't download it easily, 3) had their machine utterly crash after the patch was applied.

      Don't blame sysadmins. Blame MS for releasing patches which step on the heels of the deployment of the previous critical update. When a new patch comes out every 2 weeks, and a deployment may take 3 weeks, you've got a problem.

    3. Re:Been there, done that... by Xerithane · · Score: 5, Interesting

      > Windows Update is a mixed blessing where each time it is run the user is gambling that it won't break his system.

      This happens incredibly infrequently, especially considering the amazingly large amount of systems that run Windows.

      I use Windows Update consistently for my Windows box, and it works great and reliably. The FUD surrounding the "user is gambling" anecdotes is amusing though. I can only remember them releasing one patch that was truly borked.

      But, if you believe the safest route to Windows is to leave it unpatched behind any firewall I hope you are never in charge of any networks. I'm sure even your non-Windows machines are amazingly insecure and waiting to be exploited.

      --
      Dacels Jewelers can't be trusted.
    4. Re:Been there, done that... by gethane · · Score: 5, Interesting

      Yes, the love ms blaster hotfix provided by MS broke my network laser printing system. That was fun. First patch 200 systems, then have to fix network printing on them all..

      Joy Joy.

    5. Re:Been there, done that... by frozenray · · Score: 5, Insightful
      > This happens incredibly infrequently, especially considering the amazingly large amount of systems that run Windows.
      >
      > I use Windows Update consistently for my Windows box, and it works great and reliably. The FUD surrounding the "user is gambling" anecdotes is amusing though. I can only remember them releasing one patch that was truly borked.

      Where I work, this baby nearly slipped through QA (the error only occurs on certain levels of the Compaq RAID firmware, and the three original test servers had a newer revision of the firmware). Good thing one of the guys in QA (bless him) decided to do a little additional testing (and we use a staggered deployment scheme anyway), or we could potentially have faced 400 BSODing production servers.

      The fact that WU works fine for your single box (as it does for mine) unfortunately says nothing about the regular deployment of patches in a 36'000 seat / 800 server corporate network such as ours, even if stringent QA procedures are in place. Keep in mind that security fixes mean tighter security settings and that those can lead to application problems which can be very hard to find without an inordinate amount of QA.

      And by the way, SUS 1.1 might be fine for a small to medium network, but falls miserably short for large installations. We're praying that 2.0 will be better suited to our purposes because handling the pressure from the IRT case manager (who wants to deploy every fix immediately) and production (who doesn't tolerate downtime due to patch distribution) is not fun at all.

      Last but not least: having things like DBMS file systems in future OS releases might be cool - but we can live without them. Me, I'd settle for an OS with less bugs and security holes, thank you very much.
      --
      "There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
  3. jebus h flippin' christ by Anonymous Coward · · Score: 5, Insightful

    there is no excuse for anyone having RPC holes like ports 135-139 available on the internet. stupidity.

  4. Today's /. Summary by grub · · Score: 5, Funny

    Today's /. Summary:

    Microsoft is poo. Of course you already knew that.

    SCO are lying, thieving gypsies. You already knew that too.

    Spammers are poo AND lying, thieving gypsies. Duh.

    Cubism is leet, imagine a beowulf of those!

    Java Web Services in a Nutshell is cool. Real geeks measure their O'Reilly books by the foot, not the title.

    RIAA uses P2P stats but cornholes 12 year old girls.

    Adrian Lamo surrendered. Free Kev^H^H^HAdrian!

    Film scanners are cool.. but who, other than professionals, use film?

    SAGE confirms it, you make less than you should.

    Gnome 2.4 is leet. It even works on *BSD (which is dying)

    --
    Trolling is a art,
  5. For those out of work by GarbanzoBean · · Score: 5, Funny

    Long live MS, the giver of work to all IT industry.

  6. Bring it on... by gleffler · · Score: 5, Funny

    This is great. 3 remote root holes in less than a month!

    You question, "how can MS spin this positively?" They can call it "remote code execution" - sell it as a feature: "With this feature, anyone, anywhere in the world can run programs on your machine! Use it to get back at your enemies and to play pranks on your friends! Great fun for all!"

    1. Re:Bring it on... by inertia187 · · Score: 5, Funny

      "What we've gone through in the last several years has caused some people to question 'Can we trust Microsoft?'" - Steve Ballmer

      "I don't know what a monopoly is until somebody tells me." - Steve Ballmer

      "I think it would be absolutely reckless and irresponsible for anyone to try and break up this company [Microsoft]." - Steve Ballmer

      "We [Microsoft] don't have a monopoly. We have market share. There's a difference." - Steve Ballmer

      "Accessible design is good design." - Steve Ballmer, Microsoft, CEO, June 13, 2001

      "I have four words for you: I LOVE THIS COMPANY, YEAH!" - Steve Ballmer ballmer_dance.mpg

      You can't make this stuff up.

      --
      A programmer is a machine for converting coffee into code.
  7. We need PUBLICITY, or no one will know or care. by JessLeah · · Score: 5, Insightful

    Color me (-1, Troll), but what are the chances that the public will know or care about this? Most of my clients/coworkers/friends/family members are "just average users" who use Word, IE and Outlook, and who barely even know what a computer virus is. They certainly don't know what a "bug" or "vulnerability" is, and their grasp of computer security generally ranges from tenuous down to completely nonexistent. (My mother used to think that running a LAN in our home was "illegal", since every time her computer said "Application X has performed an illegal operation", she freaked out and asked if the cops were on their way!) Until this sort of thing ends up on the 6:00 news, as well as the front pages of USA Today and the New York Times, most people will not be aware that there is a problem. And when something happens, they will blame themselves, their kids for "messing with the computer", the last tech who touched their machine... or perhaps simply say "the computer's broken... durned computer..."

    We need bugs like this to be publicized in major newspapers, the way "human" virus outbreaks (and potential outbreaks) like SARS or Ebola are. That way, people might actually start patching their systems...

  8. Re:Fine journalism by Anonymous Coward · · Score: 5, Informative
    > the worm crashed a Unix server.

    It says, to be more precise, that the worm caused high volumes of network traffic causing the Unix server to malfunction. This wouldn't have happened had they not bridged the office network with the power station network. Guess what machines were on the office network and what operating system they were running and hence how the network was clogged in the first place.
  9. Microsoft-specific Extensions by dprice · · Score: 5, Interesting

    I love this phrase from Microsoft's description of the vulnerability. "The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft-specific extensions." The typical "embrace and extend" strategy Microsoft uses to pollute open standards. Looks like they included some buffer-overrun extensions.

  10. had a good comment but... by nomadicGeek · · Score: 5, Funny

    I have to reboot my laptop after installing the new update. Gotta go!

    computer: "Would you like to reboot?"

    me: Of course I like to reboot all the time. Otherwise I would be running Linux.

  11. Of course you can't run windows in a power plant! by WebMasterJoe · · Score: 5, Funny

    Why, these days, all the big systems are running OS's that end in the letter "X" - Linux, Unix, AIX, QNX, even Mac OS X. SCO, desperate by any means to be on the corporate radar, trades under "SCOX" just to try to level the playing field.

    Windows can't compete with the "X." They tried with "NT," thinking two more common letters (and half of "can't," "won't," and "don't") would be a natural evolutional step, but that was unsuccessful until the third version, where the name was changed to "Windows 2000." This was partially successful because the name ends in a string of zeroes, which are nearly as powerful as a single, murderous "X," but not quite. The next iteration, Windows XP, is closer, but some marketing clown thought that sticking a P on the end would improve on the threatening, eat-your-children lure of the "X" - what resulted is a GUI that looks like it was designed to fit with the Habitrail plastic tubes.

    Until Microsoft can get with the program and start developing an OS whose name ends in "X," the crucial systems of the world will continue to run other operating systems. Even then, the company may find it needs to double or triple its efforts and create Windows XXX. Other OS's, however, have seen the emerging trend and are planning to look at things from the other side - the beginning of the name. YAMacOS is tentatively scheduled for a code freeze in March 2005, three months before Microsoft's Windows XXX, currently codenamed Hindenburg, is scheduled for release.

    --
    I really hate signatures, but go to my website.
  12. Re:MS Software Update Services (SUS) by PhreakOfTime · · Score: 5, Interesting

    I noticed this too. After the update downloads, the application tripped my firewall on port 80. Nowhere in the update does it specify that this will be needed.

    This bothers me for several reasons; 1) I administer many machines that are off site. They have been set up as tight as can be which keeps me from having to drive to the furthest ones which are over 200 miles away. Now I have to allow a program downloaded from a NON-SECURED web site to run freely while accessing the internet? How did this strike anyone as a good idea? 2) Well, there is no 2 just yet as I haven't had time for all the negative consequences to hit yet.

    I'm sure with a little tinkering, this can be resolved, hell I'll just put that IP into my routing table and hit it to a local box or something...

  13. Exploit by the end of the day?!?!?! by djembe2k · · Score: 5, Informative
    FYI: In an article at SecurityFocus, an "expert" says that:
    > hackers could launch attacks against unprotected systems as early as day's end. "It's going to be trivial," he said. "This is an instant replay of a few weeks ago."

    And this post from BugTraq today seems also to suggest that there's no reason this won't be in the wild just about any minute.